2891: How Jamf is Demystifying Apple's Security Myth
Tech Talks Daily, May 11, 2024
21:41, 17.37 MB


Has the longstanding belief in Apple's invulnerability to cyber threats finally been shattered? In today's episode of Tech Talks Daily, we're joined by Jaron Bradley, Director of Threat Labs at Jamf, to dissect this evolving narrative. As Apple devices have become commonplace in professional environments, they've also become hot targets for sophisticated cyber threats, including trojans, ransomware, and Advanced Persistent Threats (APTs).

Jaron will unpack the seismic shift in the threat landscape for Apple's ecosystem, highlighting the transition from nuisance adware to more menacing malware varieties that now plague Mac environments. We'll explore why the myth of Apple's security invincibility is dissipating and discuss the strategic importance of acknowledging and addressing these vulnerabilities within organizational cyber frameworks.

Moreover, Jaron will shed light on the dire state of cyber hygiene, particularly on mobile devices, and provide actionable insights on how organizations can bolster their defenses against this new wave of threats. With Jamf's cutting-edge solutions at the forefront, we'll delve into practical measures for enhancing security protocols and ensuring robust protection for Apple devices.

As we navigate through these complex challenges, one question remains: Are we doing enough to adapt our security strategies to keep pace with these sophisticated threats? After listening, share your thoughts on how prepared you think organizations really are to tackle this new era of Apple vulnerabilities.

[00:00:00] Welcome back to the Tech Talks Daily Podcast, quick question for you all out there.

[00:00:06] Are Apple devices as secure as we once believed?

[00:00:10] Well today I'm going to be joined by Jaron Bradley, Director of Threat Labs at Jamf and

[00:00:16] we're going to discuss the significant shift in the cyber security landscape for Apple

[00:00:21] technologies.

[00:00:22] As these devices become staples in our professional lives from iPhones to iPads to MacBooks

[00:00:30] and iMacs in the workplace, they're also becoming bigger targets for sophisticated cyber threats.

[00:00:37] So I've invited Jaron onto the podcast today to shed light on how the perceived invulnerability,

[00:00:44] the invincibility of Apple products is a bit of a myth of the past and also explore some

[00:00:51] of the new challenges that are emerging as a result.

[00:00:54] Now Jaron is currently on vacation in Norway but he still took time out of that vacation

[00:00:59] to sit down and talk with me after a long flight from the US so buckle up and hold on

[00:01:05] tight as I beam your ears all the way to Norway where Jaron Bradley, Director of Threat Labs

[00:01:10] at Jamf is ready to talk about all this and much more.

[00:01:15] So a massive warm welcome to the show.

[00:01:18] Can you tell everyone listening a little about who you are and what you do?

[00:01:22] Yeah so my name is Jaron Bradley.

[00:01:26] I'm the director on the Threat Labs team at Jamf where we research new ways to protect

[00:01:32] the Apple ecosystem and keep it safe from cyber threats.

[00:01:35] So Jamf Protect is a product that we offer and it does just that.

[00:01:40] So the team I run is responsible for essentially finding and applying threat intel and detections

[00:01:47] that feed the product.

[00:01:48] Well it's a huge pleasure to have you on the podcast.

[00:01:50] So much I want to talk about today and every day we talk about a different topic

[00:01:54] here trying to demystify and to set the scene for our conversation today.

[00:01:59] Can you tell me a little about the shift in the nature of malware and how that's affecting

[00:02:04] Apple devices in recent years because for a long time many Apple fans have been almost

[00:02:10] cocky and arrogant but I think hey well that doesn't bother me.

[00:02:13] I'm an OS guy we don't get affected by that stuff but of course that is not true.

[00:02:18] How has the threat landscape evolved from Adware to more severe threats like Trojans etc.

[00:02:26] What are you saying here?

[00:02:27] You're not wrong and I agree fully with what you're saying in terms of there's even been

[00:02:31] a level of cockiness in terms of oh we don't get viruses on this side right.

[00:02:36] It did kind of, we did kind of start with Adware on the Mac OS side and we saw a lot

[00:02:41] of it.

[00:02:42] We still do in fact and Adware itself is in some ways because it's been at it so long

[00:02:48] on Mac OS some of the malware creators or adware creators are very effective still like

[00:02:55] getting people to install and click on what they're going for.

[00:03:00] Flash downloaders that's been gone for ages but people still think when they visit a site

[00:03:04] that has a video on it they have to install flash and they'll click on whatever instructs

[00:03:08] them to do so right.

[00:03:10] Adware has continued to be really prominent but yes you're right in saying that we've certainly

[00:03:17] shifted towards more things like APT based attacks.

[00:03:22] A lot of actors when they're writing their malware they'll use a language that can easily

[00:03:30] build multi-platform and they'll build something that will run on the Mac operating system.

[00:03:37] The 3CX hack from last year is kind of a great example.

[00:03:43] That chain attack where they kind of came in, the attackers came in and infected the software

[00:03:52] essentially they backdoor the Mac OS product as well right which tells you that threat

[00:03:58] actors are seeing value and going out of their way to also attack the Mac OS ecosystem.

[00:04:05] Lazarus group, North Korean attacker we've seen numerous attacks from them and a lot of

[00:04:12] malware development for them focused on the Mac OS ecosystem.

[00:04:17] Essentially you figure you got a lot of people looking into or building tools a lot of developer

[00:04:23] systems are running Macs now and developer systems are usually loaded with all kinds

[00:04:29] of access to different machines and stuff like that so yeah it's certainly becoming more popular.

[00:04:37] Yeah and I think it might have been last year I had Linh Lam the CIO of Jamf Software she was

[00:04:44] talking to me about the root causes of tension between IT and security teams and with

[00:04:50] Apple devices becoming ubiquitous in work environments now what are some of the

[00:04:56] common misconceptions that companies still hold about the security of these devices because

[00:05:02] this tension now too isn't it? Yeah and that comes back even to what you

[00:05:09] were already kind of stating people just have this outlook on it that is invincible right

[00:05:15] we still kind of remember the Mac versus PC commercials and I'm a Mac I don't give viruses

[00:05:21] and back then that might have only been a slight stretch and overall they're kind of

[00:05:26] being fairly honest but right now with the market share kind of shifting a little bit

[00:05:31] I think we're somewhere around 15% for the Mac OS ecosystems or 15% on laptops being Macs

[00:05:40] that's a pretty big percentage right so when you think about as an attack like from the

[00:05:45] attacker perspective like if you're setting up some very large attack then you're gonna

[00:05:52] miss out on 15% of the computers or there's a 15% chance that your malware won't detonate

[00:05:58] on a victim system right like that's a fairly high chance if you're putting in a lot of work

[00:06:02] to try and social engineer somebody so I think they're just coming in actors are coming in

[00:06:09] just more ready for the fact that the user they're after might be running the Mac OS ecosystem

[00:06:18] and just to bring to life what we're talking about here do you have any

[00:06:21] specific examples of these threats and maybe explain the potential impact on organizations

[00:06:28] because there will be some people out there that are unaware of the kind of threats we're

[00:06:32] talking about are there any examples you can share? Lately in the macOS world we've been

[00:06:38] seeing a lot of info stealers in other words like Atomic Stealer is a big name both on the

[00:06:45] Windows side and on the Mac side actors are selling it kind of on the on the black market for like some

[00:06:52] couple grand a month I believe was the last report and users can buy it embedded into malware

[00:06:57] we've seen it distributed we did a recent blog post on Atomic Stealer being distributed

[00:07:05] through Google sponsored links when people go out looking for you know a quick download for an app

[00:07:10] there in search of they get brought to a fake website that looks nearly identical and they end up installing

[00:07:16] what is instead an info stealer instead of the app they're looking for and that kind of goes through

[00:07:22] their their keychain it puts their keychain into a zip file along with some of their cookies

[00:07:28] from their different browsers basically the goal of it is to steal a ton of passwords

[00:07:32] and by the looks of it ultimately use a lot of those passwords to try and get access to any

[00:07:37] maybe crypto wallets that they might own so the crypto the crypto world is under heavy attack I

[00:07:44] would say on the macOS side there's certainly a lot of malware after that and a lot of APT

[00:07:50] actors after users' bitcoin wallets and etc. And given the growing concerns around mac malware

[00:07:57] and some of those concerns we've probably just triggered and set off light bulb moments

[00:08:02] what steps should organizations be taking to enhance their cyber security measures specifically for

[00:08:07] those Apple devices in particular in digital and creative teams etc. in an organization what should

[00:08:13] those businesses and IT departments be doing? Yeah I think ultimately the answer to that comes

[00:08:18] back to just caring for your Macs in the same manner that you care for your Windows systems

[00:08:24] don't stop treating them like they're invincible just because they're not Windows systems. For those

[00:08:30] with dedicated security teams train your analysts, train your SOCs whatever it is to analyze Macs and

[00:08:37] how to look at that data don't just have the one Mac guy. This is a numerous thing that we see at

[00:08:43] a lot of different companies with a security team is that everybody's kind of focused on the

[00:08:48] Windows environment if something shows up Mac they pass it to the one Mac guy that actually

[00:08:53] knows what the operating system kind of looks like and how it should behave. I've experienced this

[00:08:58] myself you know and in past jobs and past roles and really we should all be learning that kind

[00:09:05] of skill set so we know what we're looking at. 100% I've been in IT departments, I've been in

[00:09:11] support teams many many years ago when the CEO or somebody brings the Mac out you'd see the

[00:09:16] look of terror on all the IT techies' faces because there's always only one Mac guy isn't

[00:09:22] that am I right you are. It's true and you know due to the market share in the past again like it's

[00:09:28] been kind of what's required but with things changing so much I think we're gonna start to see

[00:09:36] more attacks on the Mac side. An example I give of that quite a bit because it's a very easy

[00:09:42] example to look on is if you've ever read the book The Cuckoo's Egg by Cliff Stoll. Yeah

[00:09:49] so it kind of documents one of the earliest APT attacks right maybe not called APT back then but

[00:09:56] against the Berkeley network where a threat actor was coming in and stealing a ton of research from

[00:10:02] the Berkeley network and ultimately that was all done on BSD systems right the Berkeley

[00:10:09] distribution of Unix at the time and that's not because Berkeley you know BSD was

[00:10:16] more insecure than everything else it's just because it's what like the whole school was running

[00:10:20] right so it really that's kind of a prime example that comes down to the market share and what users

[00:10:26] are running it's not attackers will always find new ways to go after systems it's just about

[00:10:31] what what systems those users are running so it's kind of my go-to example. Another phrase

[00:10:36] we hear a lot of at the moment is cyber hygiene and just to make sure we don't leave anyone behind

[00:10:41] here can you just expand on the concept of cyber hygiene and in particular some of the challenges

[00:10:47] it faces when you come across mobile devices and Macs in corporate settings because we've come a

[00:10:53] long way from those BYOD days now haven't we? Yeah definitely even on Mac any Apple device

[00:11:00] honestly but if it's not you know a laptop um a lot of it is just some of the same

[00:11:05] knowledge, some of the same Windows knowledge that

[00:11:08] we've always had you know don't click on the links you don't trust on the Mac side and on the Apple

[00:11:15] side use the App Store if possible that's kind of a big check mark one right like Apple is in some

[00:11:22] manner we don't have we don't have the knowledge of what all goes into vetting apps but it requires

[00:11:27] you know various security checks in order to get your app on the App Store, sandboxing

[00:11:32] other things like that so the App Store even though you know it's not impossible

[00:11:37] for malware to make its way to the App Store it's significantly less likely than if you go

[00:11:42] download an application from the internet on the on the iPhone side we're now gonna you know

[00:11:48] we're gonna have access to the side loading of apps could be a thing and I just the App Store

[00:11:54] is there it's vetted Apple has security checks that they run on some of those apps so that's

[00:11:59] kind of a that's kind of an easy one on that side don't download apps sent to you from users

[00:12:05] you just met we've seen among actors also get on to systems by convincing someone

[00:12:14] this is the same info stealer I was speaking to earlier we've seen those actors

[00:12:18] get on systems by convincing someone to join them on a podcast believe it or not right

[00:12:24] then in order to join them you know they send an invite at the last minute saying this is

[00:12:29] the XYZ software that we use can you please jump in the meeting and then the user installs that

[00:12:34] software and it's not that software at all right so I'm glad I'm speaking with you right now and

[00:12:39] I know it's not ice but so yeah don't download apps that somebody sends you on a link especially

[00:12:46] because they can be really convincing those social engineering schemes can be very convincing and

[00:12:51] then don't approve you know every pop-up window without knowing what it is on Mac there's a lot

[00:12:55] of security features built in that that are there to tell you hey we we don't know who built

[00:13:00] this app don't open it or or hey here's a prompt for your password don't just type in your password

[00:13:06] because some app asked you to right things like that things that are very lean heavily on the social

[00:13:12] engineering side I would argue it's just good to train users up on on what what is the logical

[00:13:18] thing to do on Mac yeah and education plays such a huge part in that informing users that they

[00:13:25] shouldn't be clicking on those links being more vigilant not downloading apps from

[00:13:29] a link they're seeing an email but for the the business departments the IT departments are there

[00:13:34] any other proactive strategies that organizations might be able to implement to guard against

[00:13:40] these advanced malware attacks that are increasingly targeting Mac environments any

[00:13:45] strategies that you're seeing that might work yeah I think overall you want to you want to

[00:13:51] install software for Mac that is going to be you know that is going to help you in that

[00:13:55] fight right like all in all again obviously helps a lot if you have a security team that can be

[00:14:00] dedicated to these types of tasks but software that's going to help you in in finding the the

[00:14:08] malicious items that enter something that's Mac specific generally there are a lot of

[00:14:14] vendors out there writing writing software that has a Mac component right and there's

[00:14:20] there's nothing wrong with that those are off I'm not saying that's all bad software it's

[00:14:24] just the general overall focus is on windows and Apple devices often fall to the wayside

[00:14:31] and they're just kind of a port of oh well this works for windows so this should work you know if

[00:14:36] we take the same approach for Mac and there's some truth to that and there's some places where

[00:14:41] that falls flat I would argue so finding software that's written for Mac and and designed to protect

[00:14:48] your Apple devices and as they would say here in the UK helping businesses protect their Mac

[00:14:55] estate is is your bread and butter ultimately so how do you at Jamf help organizations protect

[00:15:01] those Apple devices and what kind of tools or services do you guys offer that that maybe address

[00:15:07] these and even more complex cyber threats that we haven't got time to go into great length today

[00:15:13] yeah definitely we put a ton of focus in that area obviously we're an Apple shop

[00:15:21] it is our only focus and in reality when it comes to much of what we're building on the security side

[00:15:28] Jamf Protect as I kind of mentioned earlier that's our threat prevention behavioral detections

[00:15:34] telemetry you know for providing events that you can threat hunt through along with

[00:15:39] device compliance management a lot of companies you know compliance management can be another thing

[00:15:46] that companies can do just make sure that what's that the standards that are out there for kind of

[00:15:51] your most secure settings for your Mac making sure those are kind of enabled and set accordingly

[00:15:58] we offer Jamf Connect that's this zero trust auth and identity management and even a secure

[00:16:04] proxy to kind of keep you off some zero-day phishing sites and stuff like that and then Jamf Jet P

[00:16:11] is one of our more recent sets focused on keeping you know state sponsored attacks off of

[00:16:19] off of Apple iPhones maybe more targeted in terms of you know protecting your execs or people

[00:16:26] where there might be where you might have threats existing on the iOS platform really

[00:16:32] the only ones right now kind of going after iOS are a lot of the really big nation states that you

[00:16:38] know have deep pockets enough to buy zero days or malware you know the Pegasus malware

[00:16:44] really really big attacks right and so us trying to protect against that on iOS as well

[00:16:52] to help our customers out. Well a huge thank you for taking time out of your vacation while

[00:16:58] you're in Norway at the moment to share some of these insights shine a light on this topic it is so

[00:17:04] important and I suspect as you have been doing a little bit of traveling you're going to be carrying

[00:17:08] a pair of noise cancelling headphones or maybe a book so I'm going to ask you to leave one final

[00:17:13] gift to everyone listening and that is a book that you would recommend that we can add to our

[00:17:17] Amazon wishlist or a song that we can add to our Spotify playlist all I'll ask is what would

[00:17:22] you like to add and why? Yeah yeah I'll go the book route mostly because right now I happen to be right

[00:17:29] on theme with this as I'm currently going through the Steve Jobs biography which you know kind of

[00:17:37] focuses on the history of Apple and the creation of Apple and the journey Steve Jobs went on from

[00:17:44] creating it to kind of falling off of it to coming back and it is a really interesting story

[00:17:51] I think throughout it there is a number of ways in which Steve Jobs treats people in which you know

[00:17:57] I hope I have some different management skills in that but it is truly an interesting story

[00:18:07] to kind of go through and read about just the history of Apple so.

[00:18:13] Yeah great choice I've got to add it to my Amazon wishlist and I've had John Sculley on here

[00:18:18] once he was telling me that story where I think Steve Jobs came and said do you want to sit here

[00:18:23] and sell sugar water for the rest of your life or come and change the world with me makes the

[00:18:28] hairs on the back of my neck stand up and we also had Guy Kawasaki revealing some stories behind

[00:18:32] the scene as well so yeah great choice and for anyone listening just wanting to find out more

[00:18:38] information about Jamf about how you might be able to help and further explore this or maybe

[00:18:43] even contact your or your team where's the best starting point for everything.

[00:18:47] Yeah you can check out jamf.com to kind of view what we're up to and what we create you know Jamf has

[00:18:53] a reputation of being an MDM company which of course we are and we help people manage their

[00:18:58] Apple devices but the security offering obviously like I said we have a whole slew of things there

[00:19:03] so you can check out that and what we're up to there you can also look up the threat labs

[00:19:09] Jamf blog that's an easy one to just google and find you can see what we've been up to and kind of

[00:19:15] some of the threats that we've been blogging about that have gotten up there lastly I also on the side

[00:19:21] blog a fair bit on, it's called themittenmac.com, I just do some personal blogging there

[00:19:28] about internals the internal operating system of macOS and how it operates and then tie that

[00:19:34] into security threats too. Awesome well I'll get links added to everything you mentioned there

[00:19:40] to the show notes so everyone listening can find out more information and I learned so much today

[00:19:45] as you said not so long ago the myth of Apple security and invincibility was as strong as ever

[00:19:51] but Apple threats are becoming more sophisticated more diverse and many organizations are

[00:19:56] sadly not prepared for those risks so thank you so much for taking the time to come out here

[00:20:02] sit down with me talk about the changes seen in Mac malware, the trojans, ransomware

[00:20:07] and how it's actually impacting organization cyber risk and the abysmal state of cyber hygiene

[00:20:13] in some places but after shining a light on it today I'm hopeful that can change and

[00:20:19] a big thank you for helping in that fight yeah thanks so much for having me it's a pleasure

[00:20:23] I think we uncovered some critical insights today about the evolving threats to Apple devices

[00:20:28] with Jaron Bradley and it's clear that that security landscape is changing and as a result

[00:20:35] our approach must adapt swiftly to keep pace with that but the big question is what steps will you

[00:20:42] take to enhance the cyber resilience of your Apple devices whether it's in your home or the

[00:20:47] workplace and I'd love to hear your thoughts on everything we talked about today from the

[00:20:52] such as the shift in the Apple device threat landscape misconceptions about mac security

[00:20:58] improving mac cyber hygiene and what solutions or strategies you're putting in place

[00:21:04] please let me know email me techblogwriter@outlook.com, Twitter, LinkedIn, Instagram just at

[00:21:09] NeilCHughes let's keep this conversation going I hope you learn a few things from today's

[00:21:14] conversation I certainly did and I'm going to try and learn a few I will try and learn a

[00:21:19] few other things about a completely different topic tomorrow but thank you for listening

[00:21:23] today and until next time don't be a stranger